WP Ultimate CSV Importer <= 3.6.74 – Database Table Export | Plugin Vulnerabilities

Description

Due to lack of verification of a visitors permissions, it is possible to execute the ‘export.php’ script included in the default installation of this plugin, and retrieve the full contents of the user table in the WordPress installation. This results in full disclosure of usernames, hashed passwords and email addresses for all users.

After update 3.6.74, a change to the ‘export.php’ script was made, which required a REFERER header to be passed through in the request. After this header is added (as in the second PoC), the behaviour is exactly the same, resulting in full disclosure of usernames, hashed passwords and email addresses for all users.

Affects Plugins

wp-ultimate-csv-importer

Fixed in 3.6.75

References

URL

https://g0blin.co.uk/g0blin-00025/

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

Verified

Yes

WPVDB ID

fc4865d1-00b9-4594-99d2-e2a3fc0d3951

Timeline

Publicly Published

2015-02-22 (about 11 years ago)

Added

2015-02-02 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2022-01-06

Title

IP2Location Country Blocker < 2.26.5 - Ban Bypass

Published

2020-02-25

Title

Pricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions

Published

2017-03-06

Title

WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation

Published

2024-06-04

Title

BuddyForms < 2.8.10 - Email Verification Bypass due to Insufficient Randomness

Published

2020-12-14

Title

Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass